Lucene search

K
centosCentOS ProjectCESA-2015:0869
HistoryApr 22, 2015 - 2:47 p.m.

kmod, kvm security update

2015-04-2214:47:16
CentOS Project
lists.centos.org
66
kvm
full virtualization
linux kernel

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.2%

CentOS Errata and Security Advisory CESA-2015:0869

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

It was found that KVM’s Write to Model Specific Register (WRMSR)
instruction emulation would write non-canonical values passed in by the
guest to certain MSRs in the host’s context. A privileged guest user could
use this flaw to crash the host. (CVE-2014-3610)

A race condition flaw was found in the way the Linux kernel’s KVM subsystem
handled PIT (Programmable Interval Timer) emulation. A guest user who has
access to the PIT I/O ports could use this flaw to crash the host.
(CVE-2014-3611)

Red Hat would like to thank Lars Bull of Google and Nadav Amit for
reporting the CVE-2014-3610 issue, and Lars Bull of Google for reporting
the CVE-2014-3611 issue.

All kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. Note: The procedure in
the Solution section must be performed before this update will take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-April/083247.html

Affected packages:
kmod-kvm
kmod-kvm-debug
kvm
kvm-qemu-img
kvm-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:0869

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.2%